DETAILED ACTION 

1. This is a Final Office Action in response to the applicant's communication filed on May 
02, 2008. 

2. Claims 1-2, 4-16 and 18-25 have been examined and are pending. 

Response to Arguments 

3. Applicant's arguments with respect to claims 1-2, 4-16 and 18-25 have been considered 
but are moot in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 103 

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth 
in section 102 of this title, if the differences between the subject matter sought to be patented and the prior 
art are such that the subject matter as a whole would have been obvious at the time the invention was made 
to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

5. Claims 1-2, 4-16 and 18-25 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Moran (US Pat. No.: 6,647,400) in view of Rowland et al. (hereinafter referred to as 
Rowland, US Pub. No.: 2002/0129264). 



As per claim 1: 
Moran discloses a method for detecting intrusion in a host via a monitoring daemon 
operating in conjunction with a configuration file defining data entities to be monitored, the 
method comprising: 

monitoring data entities via comparing a locally stored copy of a digital signature 
associated with each data entity against a corresponding digital signature stored in a first 
remote database (column 4: lines 1-15; figure 9: compute signature of a file; Does signature 
match the previously computed signature for file; Abstract; column 4: lines 17-23; column 
32: lines 49-59). 



Moran does not explicitly disclose upon identifying a mismatch in compared digital 
signatures, issuing an instruction to record an entry in a log file located in a second remote 
database, said entry identifying a possible intrusion in a host and issuing a command to an 
operating system of said host to bring said host to a single user state. Rowland, in analogous art, 
however, discloses upon identifying a mismatch in compared digital signatures, issuing an 
instruction to record an entry in a log file located in a second remote database, said entry 
identifying a possible intrusion in a host and issuing a command to an operating system of said 
host to bring said host to a single user state (0037; 0053; 0065; 0145; 0148). Therefore, it would 
have been obvious to a person having ordinary skill in the art at the time the invention was made 
to modify the system disclosed by Moran to include issuing a command to an operating 
system of said host to bring said host to a single user state. This modification would have been 
obvious because a person having ordinary skill in the art would have been motivated to do so to 
provide a generic distributed command, control, and communication framework that allows 
computer systems, devices, and operational personnel to interact with a network as a unified 
entity as suggested by Rowland (0007). 

As per claim 2: 

Rowland discloses issuing a command to bring down said one or more network interfaces 
to isolate said host upon identifying the mismatch in compared digital signatures (0037; 0053; 
0065; 0145; 0148). 

As per claim 4: 

Rowland discloses said first remote database and said second remote database are located 
on a single server or a plurality of servers belonging to a local area network (0037; 0053; 0147). 

As per claim 5: 

Rowland discloses communications between said host and first remote database are 
encrypted (0027; 0068; 0074; 0075). 

As per claim 6: 

Rowland discloses communications between said host and second remote database are 
encrypted (0027; 0068; 0074; 0075). 



As per claim 7: 
Moran discloses said digital signature is an MD5 signature and said first remote database 
is an MD5 database (column 31: lines 46-55). 

As per claim 8: 

Moran discloses said second remote database is a SYSLOG database (column 24: lines 
47-64). 

As per claim 9: 

Moran discloses said data entities comprises one or more system files, configuration files, 
or directories (column 4: lines 5-35). 

As per claim 10: 

Moran discloses a system to detect intrusion comprising: 

a host running a monitoring daemon working in conjunction with a configuration file, 
said configuration file identifying files and directories to be monitored in said host and said 
host communicating with external networks via one or more network interfaces, said 
monitoring daemon dynamically monitoring said files and directories identified by said 
configuration file by comparing a locally stored digital signature corresponding to each file 
or directory against a remotely stored corresponding digital signature (column 4: lines 1-15; 
figure 9: compute signature of a file; Does signature match the previously computed 
signature for file); 
a digital signature database remote from said host storing said digital signatures 
associated with files and directories identified by said configuration file (Abstract; column 4: 
lines 17-23; column 32: lines 49-59); and 

a log database remote from said host recording entries corresponding to mismatches 
between a digital signature stored in said host and a corresponding digital signature in said 
digital signature database (column 32: lines 6-22; column 32: lines 49-59; column 33: lines 
36-41). 



Moran does not explicitly disclose a log database remote from said host recording entries 
corresponding to mismatches between a digital signature stored in said host and a corresponding 
digital signature in said digital signature database and wherein a mismatch identifies a possible 
intrusion in the host, resulting in a command being issued to an operating system of said host to 
bring said host to a single user state. Rowland, in analogous art, however, discloses a log 
database remote from said host recording entries corresponding to mismatches between a digital 
signature stored in said host and a corresponding digital signature in said digital signature 
database and wherein a mismatch identifies a possible intrusion in the host, resulting in a 
command being issued to an operating system of said host to bring said host to a single user state 
(0037; 0053; 0065; 0145; 0148). Therefore, it would have been obvious to a person having 
ordinary skill in the art at the time the invention was made to modify the system disclosed by 
Moran to include a log database remote from said host recording entries corresponding to 
mismatches between a digital signature stored in said host and a corresponding digital signature 
in said digital signature database and wherein a mismatch identifies a possible intrusion in the 
host, resulting in a command being issued to an operating system of said host to bring said host 
to a single user state. This modification would have been obvious because a person having 
ordinary skill in the art would have been motivated to do so to provide a generic distributed 
command, control, and communication framework that allows computer systems, devices, and 
operational personnel to interact with a network as a unified entity as suggested by Rowland 
(0007). 

As per claim 11: 

Moran discloses a system to detect intrusion, wherein said digital signature database and 
said log database are located on a single server or a plurality of servers belonging to a local area 
network (figure 3: 306, 308, 304). 

As per claim 12: 

Rowland discloses a system to detect intrusion, wherein communications between said 
host and said digital signature database are encrypted (0027; 0068; 0074; 0075). 

As per claim 13: 

Rowland discloses a system to detect intrusion, wherein communications between said 
host and log database are encrypted (0027; 0068; 0074; 0075). 



As per claim 14: 
Moran discloses a system to detect intrusion, wherein said digital signature is an MD5 
signature and said first remote database is an MD5 database (column 31: lines 46-55). 

As per claim 15: 

Moran discloses an article of manufacture comprising a computer usable medium having 
computer readable program code embedded therein to detect intrusion in a host via a monitoring 
daemon operating in conjunction with a configuration file defining data entities to be monitored, 
said medium comprising: 

computer readable program code comprising executable instructions to monitor data 
entities via comparing a locally stored copy of a digital signature associated with each data 
entity against a corresponding digital signature stored in a first remote database (column 4: 
lines 1-15; figure 9: compute signature of a file; Does signature match the previously 
computed signature for file; Abstract; column 4: lines 17-23; column 32: lines 49-59); 

Moran does not explicitly disclose computer readable program code comprising 
executable instructions to issue an instruction to record an entry in a log file located in a second 
remote database upon identifying a mismatch in compared digital signature, said entry 
identifying a possible intrusion in said host and computer readable program code, comprising 
executable instructions to issue a command to an operating system of said host to bring said host 
to a single user state upon identifying the mismatch in compared digital signatures. Rowland, in 
analogous art, however, discloses computer readable program code comprising executable 
instructions to issue an instruction to record an entry in a log file located in a second remote 
database upon identifying a mismatch in compared digital signature, said entry identifying a 
possible intrusion in said host and computer readable program code, comprising executable 
instructions to issue a command to an operating system of said host to bring said host to a single 
user state upon identifying the mismatch in compared digital signatures (0037; 0053; 0065; 
0145; 0148). Therefore, it would have been obvious to a person having ordinary skill in the art 
at the time the invention was made to modify the system disclosed by Moran to include computer 
readable program code comprising executable instructions to issue an instruction to record an 
entry in a log file located in a second remote database upon identifying a mismatch in compared 
digital signature, said entry identifying a possible intrusion in said host. This modification would 
have been obvious because a person having ordinary skill in the art would have been motivated 
to do so to provide a generic distributed command, control, and communication framework that 
allows computer systems, devices, and operational personnel to interact with a network as a 
unified entity as suggested by Rowland (0007). 

As per claim 16: 

Rowland discloses an article of manufacture, further comprising computer readable 
program code comprising executable instructions to issue a command to bring down one or more 
network interfaces to isolate said host upon identifying the mismatch in compared digital 
signatures (0037; 0053; 0065; 0145; 0148). 



As per claim 18: 
Moran discloses an intrusion detection and isolation method implemented using a 
monitoring daemon in a host, said host having one or more network interfaces to communicate 
over one or more networks, said method comprising: 

reading a configuration file to identify data entities to be monitored on a host (column 
4: lines 1-15); 

for each data entity to be monitored, extracting a digital signature from said host 
(figure 9: compute signature of a file); 

for each data entity to be monitored, querying a remote digital signature database via 
said one or more network interfaces and requesting a digital signature corresponding to said 
digital signature extracted from said host (figure 9: Does signature match the previously 
computed signature for file); 

for each data entity to be monitored, receiving said corresponding digital signature 
from said remote digital signature database (figure 3: 308, 306, 304, 312); and 

matching digital signature received from said remote digital signature database with 
digital signature extracted at said host (Abstract; column 4: lines 17-23; column 32: lines 49- 
59). 

Moran does not explicitly disclose upon identifying a mismatch, transmitting an 
instruction to a remote log database via said one or more network interfaces, said instruction 
executed in said remote log database to record an entry in a log file indicating a possible 
intrusion in said host and issuing a command to an operating system of said host to bring said 
host to a single user state. Rowland, in analogous art, however, discloses upon identifying a 
mismatch, transmitting an instruction to a remote log database via said one or more network 
interfaces, said instruction executed in said remote log database to record an entry in a log file 
indicating a possible intrusion in said host and issuing a command to an operating system of said 
host to bring said host to a single user state (0037; 0053; 0065; 0145; 0148). Therefore, it would 
have been obvious to a person having ordinary skill in the art at the time the invention was made 
to modify the system disclosed by Moran to include upon identifying a mismatch, transmitting 
an instruction to a remote log database via said one or more network interfaces, said instruction 
executed in said remote log database to record an entry in a log file indicating a possible 
intrusion in said host and issuing a command to an operating system of said host to bring said 
host to a single user state. This modification would have been obvious because a person having 
ordinary skill in the art would have been motivated to do so to provide a generic distributed 
command, control, and communication framework that allows computer systems, devices, and 
operational personnel to interact with a network as a unified entity as suggested by Rowland 
(0007). 
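The claim 18 procedure (read the configuration file, compute a signature for each data entity, query the remote signature database, compare, and on a mismatch write an entry to the remote log database and isolate the host) as an added Python example written for this page; it is not code from the application, from Moran or from Rowland. The configuration format, the in-memory stand-ins for the two remote databases, the host and interface names, and the `ip link set ... down` / `telinit 1` response commands are assumptions made for illustration. Claims 7, 14 and 22 name MD5; the example defaults to SHA-256 because MD5 collisions are practical, with the algorithm left selectable.

```python
# Added example for this page: a minimal file-integrity monitor with the
# steps of claim 18. Not code from the application, Moran or Rowland. The
# config format, the in-memory stand-ins for the two remote databases, the
# host and interface names and the response commands are assumptions.
import hashlib
import os
import tempfile
from typing import Dict, List, Optional, Tuple

Command = Tuple[str, ...]


def read_config(text: str) -> List[str]:
    """Read the configuration file naming the data entities to monitor.
    Assumed format: one path per line, '#' starts a comment."""
    paths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            paths.append(line)
    return paths


def extract_signature(path: str, algorithm: str = "sha256") -> str:
    """Digest one data entity on the host. Claims 7/14/22 name MD5; SHA-256
    is the default here because MD5 collisions are practical. A directory is
    digested as its sorted entry names (an assumption)."""
    h = hashlib.new(algorithm)
    if os.path.isdir(path):
        for name in sorted(os.listdir(path)):
            h.update(name.encode() + b"\0")
    else:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return h.hexdigest()


class SignatureDatabase:
    """Stand-in for the remote signature database. In a deployment it lives
    on another server behind an encrypted channel (claims 5 and 6) and is
    not writable from the monitored host."""

    def __init__(self) -> None:
        self._baseline: Dict[str, str] = {}

    def record_baseline(self, path: str, signature: str) -> None:
        self._baseline[path] = signature

    def query(self, path: str) -> Optional[str]:
        return self._baseline.get(path)


class LogDatabase:
    """Stand-in for the remote SYSLOG-style log database (claims 8 and 23)."""

    def __init__(self) -> None:
        self.entries: List[str] = []

    def record(self, entry: str) -> None:
        self.entries.append(entry)


def isolation_commands(interfaces: List[str]) -> List[Command]:
    """Response commands: bring down each interface (claim 25), then take the
    host to single-user state (claim 18). Returned, not executed: the caller
    runs them as root with subprocess.run once the remote log write is done."""
    cmds: List[Command] = [("ip", "link", "set", i, "down") for i in interfaces]
    cmds.append(("telinit", "1"))
    return cmds


def monitor_once(host: str, config_text: str, sigdb: SignatureDatabase,
                 logdb: LogDatabase, interfaces: List[str]) -> List[Command]:
    """One pass of the daemon: returns the response commands, empty when all
    signatures match. Logging precedes isolation so the entry is not lost."""
    for path in read_config(config_text):
        local = extract_signature(path)
        remote = sigdb.query(path)  # query and receive from the remote database
        if remote is None:
            logdb.record(f"{host} fim: no baseline signature for {path}")
            continue
        if remote != local:
            logdb.record(f"{host} fim: POSSIBLE INTRUSION {path} "
                         f"expected={remote} actual={local}")
            return isolation_commands(interfaces)
    return []


def demo() -> Tuple[List[str], List[Command]]:
    """End-to-end run on constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        passwd, sshd = os.path.join(d, "passwd"), os.path.join(d, "sshd_config")
        with open(passwd, "wb") as f:
            f.write(b"root:x:0:0::/root:/bin/sh\n")
        with open(sshd, "wb") as f:
            f.write(b"PermitRootLogin no\n")
        config = f"{passwd}\n{sshd}  # constructed sample entries\n"
        sigdb, logdb = SignatureDatabase(), LogDatabase()
        for p in read_config(config):
            sigdb.record_baseline(p, extract_signature(p))
        assert monitor_once("host1", config, sigdb, logdb, ["eth0"]) == []
        with open(sshd, "wb") as f:  # tamper with one monitored entity
            f.write(b"PermitRootLogin yes\n")
        return logdb.entries, monitor_once("host1", config, sigdb, logdb, ["eth0"])
```

Two ordering points matter in practice. The remote log entry is written before the network interfaces are dropped; reversing that order loses the only off-host record of the event. And the daemon binary and its configuration file are themselves data entities an intruder will target first, so they belong in the monitored set, with the baseline signatures held where the monitored host cannot rewrite them.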

As per claim 19: 

Rowland discloses an intrusion detection and isolation method implemented using a 
monitoring daemon in a host, wherein said digital signature database and said log database are 
located on a single server or a plurality of servers belonging to a local area network (0037; 0053; 
0147). 
As per claim 20: 

Rowland discloses an intrusion detection and isolation method implemented using a 
monitoring daemon in a host, wherein communications between said host and digital signature 
database are encrypted (0027; 0068; 0074; 0075). 

As per claim 21: 

Rowland discloses an intrusion detection and isolation method implemented using a 
monitoring daemon in a host, wherein communications between said host and log database are 
encrypted (0027; 0068; 0074; 0075). 

As per claim 22: 

Moran discloses an intrusion detection and isolation method implemented using a 
monitoring daemon in a host, wherein said digital signature database is an MD5 database 
(column 31: lines 46-55). 

As per claim 23: 

Moran discloses an intrusion detection and isolation method implemented using a 
monitoring daemon in a host, wherein said log database is a SYSLOG database (column 24: lines 
47-64). 



As per claim 24: 
Moran discloses an intrusion detection and isolation method implemented using a 
monitoring daemon in a host, wherein said data entities are any of the following: system files, 
configuration files, or directories (column 4: lines 5-35). 

As per claim 25: 

Rowland discloses the intrusion detection and isolation method, further comprising issuing a 
command to bring down said one or more network interfaces to isolate said host (0037; 0053; 
0065; 0145; 0148). 

Conclusion 

6. The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. See the notice of reference cited in form PTO-892 for additional prior art. 

7. Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 



Contact Information 

8. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Techane J. Gergiso whose telephone number is (571) 272-3784 
and fax number is (571) 273-3784. The examiner can normally be reached on 9:00am - 6:00pm. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Emmanuel Moise can be reached on (571) 272-3865. The fax phone number for the organization 
where this application or proceeding is assigned is 571-273-8300. 



Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published 
applications may be obtained from either Private PAIR or Public PAIR. Status information 
for unpublished applications is available through Private PAIR only. For more information 
about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access 
to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 
(toll-free). 
Examiner, Art Unit 2137 